updates to yubikey post

content/yubikey_for_everything.md

@@ -1,10 +1,12 @@
 Title: Yubikey for EVERYTHING
-Date: 2018-06-27T15:17+02:00
+Date: 2018-07-07T23:06+02:00
 Author: Wxcafé
 Category: 
 Slug: content/yubikey_for_everything
 Header_Cover: //pub.wxcafe.net/img/yubikey_cover.jpeg
 
+###### EDIT: Update 07/07/2018, added `SSH_AUTH_SOCK` information, a few pointers about key generation and backup, and info about gpg-agent's bad behavior.
+
 When I first started at the job I'm currently at at [Gandi](https://gandi.net),
 I was given a Yubikey NEO, looked into it for a few minutes and quickly decided
 to not give more thought about it. I put it away and didn't look back, partly
@@ -54,7 +56,14 @@ Anyways, here's how to use this thing:
 
 - We're gonna start by adding our [GPG
   subkeys](https://alexcabal.com/creating-the-perfect-gpg-keypair/) to the
-  yubikey. This is really easy, since the yubikey is detected as a smartcard by
+  yubikey. That article covers pretty much everything, *except* generating an
+  Authentication subkey, which is done by doing `gpg --expert --edit-key
+  <KeyID>`, then `addkey`. You now need to select "(8) RSA (set your own
+  capabilities)" as the type of key, then type `S` to toggle signing off, `E` to
+  toggle encryption off, and finally `A` to toggle authentication on. Type `Q`
+  to confirm and quit, then keep as usual for the key size/expiration date/etc.
+  You're now done, and we can start by setting up the yubikey.
+  This is really easy, since the yubikey is detected as a smartcard by
   gpg:
 
 ```
@@ -161,7 +170,10 @@ The default PINs are `123456` for the user PIN and `12345678` for the admin PIN.
 
 Do take caution to export the private keys for safekeeping *BEFORE* moving them
 to the yubikey (the gpg `keytocard` command *MOVES* the keys, after you've run it
-*you don't have the private keys available anymore to backup*)
+*you don't have the private keys available anymore to backup*) (backups are
+easily done with `gpg --armor --export-secret-keys <KeyID> > out.asc` and `gpg
+--armor --export-secret-subkeys <KeyID> > subkeys_out.asc`. You obviously need
+to save these to a secure location.)
 
 Now that we've prepped the card, we're gonna move the keys over to it. We're
 gonna move only the subkeys over, and since we're gonna need to use the yubikey
@@ -401,13 +413,32 @@ keys on the card. They're not needed anymore since for a while now, gpg
 Now we want to use our gpg authentication key with SSH, to log in to our
 servers. To do that, we need to tell gpg-agent to act as an ssh-agent, by adding
 a single line to its configuration: `echo 'enable-ssh-support' >>
-.gnupg/gpg-agent.conf`. Then we restart gpg-agent (`gpgconf --kill gpg-agent`)
-and we should be set. Unplug the key, plug it back in, run `gpg --card-status`,
+.gnupg/gpg-agent.conf`. Then we restart gpg-agent (`gpgconf --kill gpg-agent`).
+Then, we need to tell ssh to use gpg-agent's socket as its agent. We do this by
+adding a small snippet to our `$shrc` (for me, `~/.zshrc`):
+
+```shell
+## use gpg agent as ssh agent
+if which gpgconf 2>&1 >>/dev/null ; then
+	unset SSH_AGENT_PID
+	if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
+	  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
+	fi
+fi
+```
+
+Unplug the key, plug it back in, run `gpg --card-status`,
 then `ssh-add -L` should show you a public key that ends with
 `cardno:xxxxxxxxxxxx`. That means it's done, you can now add this public key to
 `.ssh/authorized_keys` on your remote systems and you should be able to log in
 with that key.
 
+Oh, and, side note. `gpg-agent` won't actually delete your cached keys when you
+`ssh-add -D`, which is fucking bullshit, but in the meantime the solution is to
+`gpg-connect-agent`, then `KEYINFO --ssh-list --ssh-fpr` to list the cached
+keys, and then you can `DELETE_KEY <FINGERPRINT>` that particular key, with the
+fingerprint being the part right after KEYINFO. Quit by saying `/bye`
+
 ---
 
 ### X.509 key and certificate storage